He also shared his plan to launch a "comprehensive, top-to-bottom investigation of all computing and information systems", both the central ones operated by the University and the local systems operated by individual administrative and academic units.
The investigation will first scan all databases on the systems to discover what information they contain. "There are thousands of databases throughout the campus, many created years ago when the environment for cyber threats was different," he commented.
Depending on the findings, each database will either be deleted (if no longer relevant and needed) or protected more fully.
Secondly, from now on, all University systems will regularly be subjected to penetration testing.
"Third, we will review the appropriate balance between centralized (University-operated) versus decentralized (unit-operated) IT systems. There must be policy changes to accompany technical fixes," he explained.
"We understand the needs of individual units to control their own servers and databases. We must also ensure that safeguards at central and local levels are equally robust and tightly coordinated."
This will all be executed by the newly formed President's Task Force on Cybersecurity, which will consist of experts from the University campus and the Maryland Cybersecurity Center. They will be aided by an as-yet-unnamed cybersecurity company "with advanced hacking capabilities."
The revised breach FAQ section also offers very helpful information about how affected individuals can activate their credit protection and about what is needed to place a security freeze on their credit file.
"State and federal law enforcement agencies, the U.S. Secret Service, consultants from the MITRE Corporation, and our own campus IT security personnel are working together to find out how the attackers penetrated our multiple layers of security. This forensic analysis will enable us to defend against this type of attack in the future. It will also provide clues as to who were the attackers," explained Loh, adding that "there is no impregnable barrier against every fiendishly skillful cyber-attack."
"In today's digital world, each of us must take reasonable steps to ensure our own information security. Therefore, the University will present a series of identity theft seminars to all our students, faculty, staff, and alumni. The seminars—which will also be recorded and later made available online—will feature experts on how to safeguard your sensitive information," he announced.